FreeBSD security rc.conf sysctl

Security tricks (TCP/IP edition): むらさきのくも 2009

FreeBSD12R on AWS EC2 | のつこつ日誌 2020

[PukiWiki:wiki] BSD/FreeBSD/Tuning : Cocelo Style 2008

/etc/rc.conf

/etc/rc.conf
tcp_extensions="NO"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"

With those rc.conf settings, the running sysctls become:

net.inet.tcp.rfc1323: 0
net.inet.tcp.drop_synfin: 1
net.inet.icmp.drop_redirect: 1

sudo sysctl net.inet.tcp.rfc1323=0
sudo sysctl net.inet.icmp.drop_redirect=1
sudo sysctl net.inet.tcp.drop_synfin=1

man rc.conf

https://www.freebsd.org/cgi/man.cgi?query=rc.conf&apropos=0&sektion=0&manpath=FreeBSD+13.0-RELEASE&arch=default&format=html

/etc/sysctl.conf

/etc/sysctl.conf
net.inet.sctp.blackhole=2
net.inet.tcp.blackhole=2
sudo sysctl net.inet.sctp.blackhole=2
sudo sysctl net.inet.tcp.blackhole=2

Setting net.inet.udp.blackhole=1 means the host no longer answers traceroute from outside.
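As an added example (not from the original page or any of the sources it cites), here is a small POSIX sh audit that compares a host's running sysctl values with the hardening values collected above: the three rc.conf-derived sysctls and the tcp/sctp blackhole settings. It reads "key: value" lines, the format `sysctl` prints on FreeBSD, on stdin; on a real host you would pipe `sysctl net.inet.tcp net.inet.icmp net.inet.sctp | audit_sysctl`. Because sctp.ko is no longer in GENERIC on 13.0, the check also reports a key that is absent entirely (module not loaded) separately from a wrong value. The two SAMPLE_* strings and the function names are constructed for this example so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the page it accompanies.
# audit_sysctl: compare FreeBSD-style "key: value" sysctl output on stdin
# against the hardened values below. Prints OK / MISMATCH / MISSING per key
# and returns non-zero if anything is not OK.

# Hardened values taken from the page, one "key value" pair per line.
EXPECTED='net.inet.tcp.rfc1323 0
net.inet.tcp.drop_synfin 1
net.inet.icmp.drop_redirect 1
net.inet.tcp.blackhole 2
net.inet.sctp.blackhole 2'

audit_sysctl() {
    actual=$(cat)          # slurp stdin so each key can be searched for
    problems=0
    while read -r key want; do
        [ -z "$key" ] && continue
        # Escape the dots so sed matches the key literally.
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(printf '%s\n' "$actual" | sed -n "s/^$pat: //p" | head -n 1)
        if [ -z "$have" ]; then
            # e.g. net.inet.sctp.* does not exist until sctp.ko is loaded
            echo "MISSING  $key (sysctl not present; kernel module not loaded?)"
            problems=$((problems + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have $have, want $want"
            problems=$((problems + 1))
        else
            echo "OK       $key=$have"
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$problems" -eq 0 ]
}

# count_problems SAMPLE: number of non-OK lines the audit produces.
count_problems() {
    printf '%s\n' "$1" | audit_sysctl | awk '!/^OK/ { n++ } END { print n + 0 }'
}

# Constructed sample: a host with everything from the page applied.
SAMPLE_HARDENED='net.inet.tcp.rfc1323: 0
net.inet.tcp.drop_synfin: 1
net.inet.icmp.drop_redirect: 1
net.inet.tcp.blackhole: 2
net.inet.sctp.blackhole: 2
net.inet.udp.blackhole: 0'

# Constructed sample: stock defaults, with sctp.ko not loaded.
SAMPLE_DEFAULT='net.inet.tcp.rfc1323: 1
net.inet.tcp.drop_synfin: 0
net.inet.icmp.drop_redirect: 0
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0'

echo "== hardened sample =="
printf '%s\n' "$SAMPLE_HARDENED" | audit_sysctl
echo "== default sample =="
printf '%s\n' "$SAMPLE_DEFAULT" | audit_sysctl || echo "(problems found)"
```

The default sample reports four MISMATCH lines and one MISSING line for net.inet.sctp.blackhole; a MISSING result is worth treating differently from a MISMATCH, since a value you "set" in /etc/sysctl.conf for an unloaded module silently does nothing until the module is loaded.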

UDP
Enabling blackhole behaviour turns off the sending of an ICMP port unreachable message in response to a UDP datagram which arrives on a port where there is no socket listening. It must be noted that this behaviour will prevent remote systems from running traceroute(8) to a system.

man blackhole

https://www.freebsd.org/cgi/man.cgi?query=blackhole&apropos=0&sektion=0&manpath=FreeBSD+13.0-RELEASE&arch=default&format=html

SCTP support is now available as a new sctp.ko kernel module and is no longer compiled into GENERIC by default. e64080e79c53 (Sponsored by The FreeBSD Foundation)
https://www.freebsd.org/releases/13.0R/relnotes/

Disabling TCP Timestamp response on FreeBSD

Taken from Rapid7 Vulnerabilities page:
Description
The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host’s uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.
Solution
Disable TCP timestamp responses on FreeBSD
Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:

sysctl -w net.inet.tcp.rfc1323=0

Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
net.inet.tcp.rfc1323=0
My adventures in FreeBSD — Disabling TCP Timestamp response on FreeBSD